Preparing for the GDPR
Regulatory compliance requires a considered approach
The new ‘General Data Protection Regulation’ (GDPR) will come into effect on 25 May 2018, creating unified data protection legislation across all EU member states. The GDPR will change the way organizations collect, use, and manage personal data from the EU. Companies collecting personal data from the EU will need to take a considered approach to their personal data collection and protection practices.
Prior to the GDPR, each country within the EU had different data protection laws, making it difficult for companies to comply across Europe. Because the GDPR creates a single data protection regime for Europe, companies can comply at the European level rather than on a country-by-country basis.
Although the GDPR is an EU regulation, it won't only affect companies in the EU, but also companies that collect personal data from the EU. For consumers in Europe, the GDPR helps to protect their privacy and stop unwanted solicitation.
At Optimizely, we are aware of the effort it takes to meet GDPR requirements. This is how we’re getting ready.
Trust and transparency are core values of Optimizely and we are proud of our security and privacy certifications such as SOC-2 and ISO. To help you understand what we are doing for GDPR, we created a document to answer frequently asked questions, which you will find below.
David Schwarzbach
As IP addresses could be considered personal data, Optimizely allows you to easily anonymize IP addresses by removing the last block of your visitors’ IP address before storing event data.
By default, our snippet communicates with optimizely.com using Transport Layer Security (TLS), whose cipher suites and TLS configurations are regularly updated.
Data Deletion and Access
Under the GDPR, data subjects may request access to or erasure of personal data stored by a company. We are building tools and processes to help our customers fulfil these requests.
For the event data we collect, our support engineers will work with you to export and erase the records associated with identifiers you provide.
Once the GDPR takes effect, companies may want to review the cookies and local storage objects set by their EU websites. Optimizely can be integrated with popular tag management and cookie banner tools to make it easier for you to customize your approach to cookie compliance. In addition, you can set a custom cookie expiration through our APIs.
Optimizely’s security, privacy, and compliance team has reviewed our product features and conducted an assessment of organizational requirements for compliance with the GDPR. It has developed and is implementing a GDPR compliance plan across our organization with buy-in from executive-level members of our organization.
Training and Privacy Awareness
As part of our employee onboarding and continuous training, members of our engineering and product teams learn about privacy. In addition, software engineers receive software security training annually. All efforts are overseen by our security, privacy and compliance team.
Data Mapping and Privacy Impact Assessment
To verify that our privacy practices are appropriate, we have conducted an initial data mapping exercise and are additionally conducting a Privacy Impact Assessment (PIA) to assess how we collect, process and store personal data and determine potential privacy impacts.
Information Security Policies
We have published information security and data protection policies governing when employees and contractors can access data stores containing your data.
The GDPR restricts the export of personal data to countries outside the EU and the European Economic Area (EEA) unless certain controls are in place. We have certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related personal data collected by Optimizely, if any. This provides customers with the option of relying on these frameworks for the transfer of data from the EU to the U.S.
We leverage advanced technology designed to detect and avoid threats. If needed, our rigorous 24/7 incident management program allows us to respond to security or privacy events promptly. We have implemented a data breach and incident response plan. In case of an incident involving your customer data, we will inform you per the terms of your agreement with us.
We review new product functionality according to stringent security and privacy guidelines throughout the entire software development cycle.
We have conducted security and privacy reviews of our vendor contracts. As a result, we have DPAs with vendors who process personal data we have collected for you, if any.
To support your efforts to provide EU-compliant contractual protections, we have created a GDPR-ready Data Processing Agreement (DPA).
Data Protection Officer
We have selected a Data Protection Officer (DPO) to oversee our privacy program.
Learn more about the privacy impact of using Optimizely with this summary of frequently asked privacy questions.
It’s time to get ready for the GDPR
Review your data collection practices to ensure you have appropriate permissions, where necessary, to collect information from your visitors. Consider using just-in-time privacy notices if needed to obtain consent. Also consider how to communicate the value of the additional services provided, which is a great opportunity for experimentation to maximize the opt-in rate.
Create a process to address data subject access requests, including how you plan to authenticate the data subject. Review your existing vendor relationships to see whether they offer appropriate protections for your data.
Review your data collection practices and think about how to minimize the collection of personal data. Consider turning on IP anonymization or shortening your cookie expiration policies.